One: Security context principle
The security context is a simple, consistent access control attribute in SELinux. The type identifier is the primary component of the security context; for historical reasons the type of a process is often referred to as a domain. "Domain" and "domain type" mean the same thing, namely the TYPE field of the security context.
1: Key differences between DAC and MAC (the root user)
Security-Enhanced Linux (SELinux) started as a core set of kernel components and user tools developed by the NSA and added to a Linux system, allowing applications to run with only the minimum permissions they need. An unmodified Linux system uses discretionary access control: a user can request a higher level of permission, so malware running as that user can access almost any file the user can, and if it is granted root it can do anything it likes.
There is no concept of root in SELinux; the security policy is defined by the administrator, and no software can override it. This means the damage that potential malware can inflict is minimized. In practice, mainly enterprise users who care a great deal about data security use SELinux.
The operating system has two types of access control: discretionary access control (DAC) and mandatory access control (MAC). Standard Linux security is DAC; SELinux adds a flexible and configurable MAC to Linux.
The common weakness of all DAC mechanisms is that they do not recognize the most fundamental difference between a natural person and a computer program. Simply put, if a user is authorized to access something, every program that user runs is also authorized to access it, so a malicious program has the same access rights as the user. The fundamental weakness of DAC is therefore that the subject is exposed to a wide variety of malware attacks; MAC is the way to avoid these attacks, and most MAC implementations form a multi-layered security model.
SELinux implements a more flexible form of MAC called type enforcement, together with an optional multi-level security (MLS) model.
2: Interpreting the security context format
[root@host ~]# ls -ldZ /mnt/
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 /mnt/
[root@host ~]# ls -ldZ /var/ftp/pub/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
① user
1) User identity: similar to a UID on a Linux system, it identifies the identity of the subject and is recorded as part of the security context;
2) Three common users:
user_u: the default for an ordinary user after logging in;
system_u: the system processes started during boot;
root: the default for root after login;
3) Users are not very important in the targeted policy;
4) They matter in the strict policy; all default SELinux users end with "_u", except root.
② role
1) Role of files, directories and devices: usually object_r;
2) Role of programs: usually system_r;
3) Role of users: in the targeted policy it is system_r; in the strict policy it is sysadm_r, staff_r or user_r. A role is similar to a GID on a Linux system: different roles have different permissions, and a user can hold several roles but only one role at a time;
4) The RBAC (Role-Based Access Control)-based strict and MLS policies make use of the role information.
③ type
1) Type: used to divide subjects and objects into different groups. Every subject and object in the system is given a type, which provides the least-privilege environment in which the process runs;
2) When a type is associated with a running process, the type is also called a domain;
3) The type is the most important part of the SELinux security context and the heart of SELinux type enforcement; the default values end in _t;
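As an added illustration (not from the original post), the following POSIX shell functions split a security context string into its four fields and check the naming conventions described above (user ends in _u except root, role in _r, type in _t). The ls -Z sample lines are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Print field N of a security context. 1=user 2=role 3=type 4=level
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Constructed sample of `ls -ldZ` output (not taken from a real system).
SAMPLE_LS_Z='drwxr-xr-x. root root system_u:object_r:mnt_t:s0 /mnt/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /root/notes.txt'

# Read ls -Z lines on stdin and print "path type" for each one.
ls_z_types() {
    while read -r _mode _owner _group ctx path; do
        printf '%s %s\n' "$path" "$(context_field "$ctx" 3)"
    done
}

# Return 0 when the context follows the default naming conventions:
# user ends in _u (or is root), role ends in _r, type ends in _t.
context_follows_convention() {
    u=$(context_field "$1" 1)
    r=$(context_field "$1" 2)
    t=$(context_field "$1" 3)
    case "$u" in *_u|root) ;; *) return 1 ;; esac
    case "$r" in *_r) ;; *) return 1 ;; esac
    case "$t" in *_t) ;; *) return 1 ;; esac
    return 0
}

# Example usage: list the type of every sample path.
printf '%s\n' "$SAMPLE_LS_Z" | ls_z_types
```

Piping real `ls -Z` output into `ls_z_types` gives the same "path type" listing, which is usually the first thing to compare when a service is denied access to a file.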
3: SELinux operating mechanism
The SELinux decision process is as follows:
[Figure: SELinux decision process; image source CSDN]
When a subject (for example, an application) tries to access an object (such as a file), the policy enforcement server in the kernel first checks the AVC (Access Vector Cache), where the permissions between subjects and objects are cached. If a decision cannot be made from the data in the AVC, the security server is consulted; it looks up the "application + file" pair of security contexts in a matrix and then allows or denies access based on the result of that lookup. The details of denials are written to /var/log/messages.
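To make the denial messages concrete, here is an added example (not part of the original post) that extracts the source domain, target type, object class and permissions from AVC denial lines in the audit format that ends up in /var/log/messages. The log lines are constructed for this example, not taken from a real host.

```shell
#!/bin/sh
# Constructed AVC sample lines (made up for this example). The second line is
# a normal syslog line and must be ignored by the summary.
SAMPLE_AVC='type=AVC msg=audit(1375999975.123:456): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pub" dev=dm-0 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
Aug  9 15:32:55 host kernel: [ 12.345] vsftpd: connection from 10.0.0.5
type=AVC msg=audit(1375999980.456:457): avc:  denied  { read getattr } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=23456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Summarize AVC denials read on stdin as:
#   <comm> <source type> <target type> <tclass> <permissions>
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; comm = ""; st = ""; tt = ""; cls = ""
        # The permission set is the text between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "tclass") { cls = kv[2] }
        }
        print comm, st, tt, cls, perms
    }'
}

# Example usage on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Each output line names the domain that was refused, the type it tried to reach and the permission it asked for, which is exactly the information needed to decide whether a file is mislabelled (fix with restorecon or semanage fcontext) or whether the policy needs a Boolean turned on.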
Two: SELinux application
1: The three states of SELinux
Disabled    # off, i.e. no security contexts are applied
Enforcing   # enforcing mode
Permissive  # warning mode: violations are logged but not blocked
2: Change SELinux status
(1) Change the configuration file directly
[root@host ~]# vim /etc/selinux/config    ## SELinux configuration file
SELINUX=enforcing                         ## change the state on this line; it takes effect after a reboot
To turn SELinux off:
Change SELINUX= in the /etc/selinux/config file to disabled, then reboot.
If you do not want to reboot the system, use the command setenforce 0 (this switches to permissive mode rather than disabling SELinux).
Note: if you want SELinux to start, selinux=0 must not appear among the kernel boot parameters!
(2) setenforce
[root@host ~]# setenforce 0    ## set the SELinux state to permissive
[root@host ~]# getenforce      ## check the SELinux state
Permissive
[root@host ~]# setenforce 1    ## set the SELinux state to enforcing
[root@host ~]# getenforce
Enforcing
Note: this command cannot be used when SELinux is disabled:
[root@host desktop]# getenforce
Disabled
[root@host desktop]# setenforce 0
setenforce: SELinux is disabled
[root@host desktop]# setenforce 1
setenforce: SELinux is disabled
3: View security context
ls -Z FILE|DIR                          ## view the security context of a file or directory
semanage fcontext -l                    ## list all security context rules on the system
semanage fcontext -l | grep /var/ftp/   ## filter the security context rules
semanage fcontext -l | grep /zpy
4: Change the security context
(1) Temporary changes
chcon -t public_content_t /zpy/    ## change the type in the security context; a temporary change, lost on relabel
(2) Permanent changes
semanage fcontext -a -t public_content_t "/zpy(/.*)?"   ## add a security context rule; "/zpy(/.*)?" matches /zpy and every path under it, so the change is permanent
restorecon -RvvF /zpy/                                   ## apply the rule to the files
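As an added example (not from the original post), this shell snippet shows which paths a semanage fcontext pattern such as "/zpy(/.*)?" covers. It approximates semanage's matching with grep -E anchored to the whole path; the candidate paths are constructed, and the simplification is an assumption of this example (the real file-context matcher uses PCRE and normalizes trailing slashes).

```shell
#!/bin/sh
# Return 0 when PATH is covered by the fcontext regular expression PATTERN.
# File-context patterns are matched against the whole path, so "/zpy(/.*)?"
# covers /zpy itself and anything beneath it, but not /zpy2 or /var/zpy.
fcontext_matches() {
    pattern=$1
    path=$2
    printf '%s\n' "$path" | grep -Eq "^${pattern}\$"
}

# Print "yes PATH" or "no PATH" for each candidate path given after PATTERN.
fcontext_report() {
    pattern=$1
    shift
    for p in "$@"; do
        if fcontext_matches "$pattern" "$p"; then
            printf 'yes %s\n' "$p"
        else
            printf 'no %s\n' "$p"
        fi
    done
}

# Example usage with constructed candidate paths.
fcontext_report '/zpy(/.*)?' /zpy /zpy/ /zpy/a/b.txt /zpy2 /var/zpy
```

Running the report before adding a rule shows whether the pattern is too narrow (misses files that will later be created) or too broad (spills onto unrelated directories), which is easier to check here than after restorecon has already relabelled the tree.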
5: View the SELinux policy
[root@host oracle]# sestatus
SELinux status:             enabled      <== whether SELinux is started
SELinuxfs mount:            /selinux     <== mount point of the SELinux filesystem
Current mode:               enforcing    <== current mode
Mode from config file:      enforcing    <== mode specified in the configuration file
Policy version:             21
Policy from config file:    targeted     <== which policy is currently in use
Three: Booleans
(1) getsebool queries the Boolean values that switch rules on and off within the SELinux policy. Commands related to SELinux policy and rule management: seinfo, sesearch, getsebool, setsebool and semanage.
getsebool -a
-a: lists all Boolean items on the current system together with their on/off values.
(2) setsebool
setsebool modifies the Boolean values that switch rules within the SELinux policy. setsebool and getsebool form a pair of tools for modifying and querying SELinux Booleans.
Allow vsftpd anonymous users write permission:
setsebool -P allow_ftpd_anon_write=1
-P: writes the value to the policy configuration as well, so it stays in effect after a reboot.
Four: Application
How do I allow anonymous users to upload?
(1) Prerequisites on the vsftpd side, which must be in place before SELinux is considered:
vim /etc/vsftpd/vsftpd.conf
local_enable=YES
anon_upload_enable=YES
chmod 775 /var/ftp/pub/
chgrp ftp pub/          ## run from /var/ftp
(2) When SELinux is enforcing
semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"   ## label /var/ftp/pub with the SELinux type that permits writes
restorecon -RvvF /var/ftp/pub                                       ## reapply the labels to the files
(3) Turn on the SELinux Boolean for anonymous uploads
getsebool -a | grep ftp
setsebool -P ftp_home_dir on
Note: check the logs to resolve SELinux issues
When a security context does not match or some other problem occurs, look at the log. If the setroubleshoot-3.2.17-2.el7.x86_64 package is installed, the log also contains a suggested workaround.
This article is from the "12462896" blog; please keep this source: http://12472896.blog.51cto.com/12462896/1955691